A blog about the art of cyber-jutsu: information security as a martial art.

Tuesday, October 13, 2009

A Healthy Body - A Healthy System

Daily activities are very important to all systems.

Your body is a system, and it requires things every day in order to stay healthy. Daily physical activities such as stretching and walking can prolong a healthy life. Proper stretching increases blood flow to parts of the body which may not otherwise receive enough nutrients. Joints are better lubricated, the subtle parts of the anatomy are encouraged to transmit energy, and stress can be melted away through the activity of stretching your entire body. Likewise, a mild activity such as walking will burn "extra" calories away. All things which are "extra" must be cut away. In this case, we burn them away, naturally, within the system that is our body.

Not unlike the human body, computers are systems which need daily activities performed for a healthy long life. Some might argue that some systems are more important than others, but this is not so. Just as every human life is important, so too, the well-being of every computer system is important when considering information security and cyber-jutsu. The unhealthy human body may contract and mutate a strong virus that will then infect many people. So too, an unprotected or unpatched computer system may be attacked, exploited, and infected, ultimately becoming the downfall of neighboring computer systems.

On the subject of patches, it is very important to understand what I mean. All software programs have flaws, because that is the nature of computer programs. The creators of computer programs, humans, are not perfect; so, why would their programs be without flaws?

Even when a programmer creates a program that is perfect by today's standards, tomorrow may yield a new standard or a change to a standard. Therefore, sometimes, the programmer must "fix" his code today, which was perceived as flawless yesterday. However, most programmers work in teams, which are led by managers, who are hired by directors, who report to small groups of people expecting a profit from their investment. This is neither good, nor bad. It just is. The reality is that there is more money in releasing the next new software program than there is in fixing an already released, but flawed, software program. Seek not to place blame, but to understand. When software companies do fix flaws, those fixes are, generally speaking, released to the public as patches.

Understanding all of this is important for you to perfect your cyber-jutsu. You must understand that the flaws we are talking about do not prevent the computer program from performing the function it was designed to do. If that were the case, all the customers would scream, and the board would be unhappy if many people were screaming. So too, the directors would shift priorities from the new program being developed back to fixing the previous, flawed program. The managers would manage. The programmers would switch their focus and try to fix the issue. However, breaking one's concentration while programming can lead to more mistakes. Also, the user of the program would implement the patch as soon as it was released. I have seen all of this. This is very clear. But these flaws that we speak of for the sake of our cyber-jutsu, these 'bugs', are not of a type that cause a program to clearly malfunction.

You may ask, "If the program performs the function it was designed to do, then how can we call it flawed?" Herein is the heart of the matter. The "flaw" that we refer to regarding security issues with computer programs is often called a "vulnerability". This type of programming flaw does not stop the program from performing as expected; but, it does create an opportunity for an attacker to force the program to perform in a way that was not anticipated or desired. An attacker who knows of a vulnerability can provide the program with input designed to exploit this vulnerability. If an attacker succeeds in exploiting a vulnerability, that attacker has forced the computer program to do something it was not designed to do. In the worst cases, the attacker can take complete control of the exploited computer system without the knowledge of its legitimate user. The best way to defeat such an attacker is to remove the vulnerability by applying the patch provided by the software vendor, when one is available.

You may ask, "Why is this important to my cyber-jutsu?" I would answer, "All of your systems must be healthy, if you are to master cyber-jutsu".

If I told you to patch your systems, and you did not understand the systems as I understand the systems, what would you patch? What systems are we talking about? Are not all of the systems working together? Are not the human systems working within the systems that create programs? If your mind is not sharp and focused, will you not err? For all of us, our cyber-jutsu must start with the maintenance of the human system, for it is our foundation.

If you are a programmer, and work within the system that creates programs (i.e. a software company), you can effectuate cyber-jutsu in that system to help reduce vulnerabilities. But, if you are like most cyber-jutsu practitioners, you are a user of the output of such a software vendor. In such a case you cannot always easily impact the way they do business. Therefore, you must understand this, and not have false expectations of vulnerability-free software. You must be aware of what you have installed within your computer system. You must be aware of the boundaries of the cyberspace that you control.

Each of us can only impact the systems we are responsible for. Each of us is responsible for the system which is the human body we exist within. So too, each of us is responsible, to varying degrees based upon ownership, for the computer system(s) we interface with. No company intranet can be secure without someone taking responsibility for each and every computer system connected to it. In your home, you own and are responsible for your computer. At work, the IT department may own the responsibility of maintaining your system(s). But, you still own your actions when you interface with that computer.

When I tell you that you must look for patches to your system every day, does it sound extreme? When I say "patch your system", what do you perceive as your "system"? If I told you that your computer system was every single program running on it, and every single computer that you are connected to, and all of the programs those systems are running, would it sound extreme? It might sound extreme to one who owns yet denies their responsibility; but, it would be no less true.

If perpetual maintenance of the systems you are responsible for sounds extreme or unrealistic, you must examine your desire for healthy systems. What is the goal of your cyber-jutsu? Do you want to 'seem' secure, or do you want to be secure? Do you want to say that you are 'managing risk', while you are really staying ignorant of the threats within your cyberspace? If so, you are not alone. I have met many CIOs and IT Directors who play this game within their minds, and spread lies in board rooms about the impossibility of really being secure as a means to shirk their responsibilities. Am I promising a perfect and impenetrable system? Of course I am not. But to avoid doing what is known to be effective, for the gain of the money not spent doing it, is irresponsible at best - and in the worst cases, it is criminal. To continue to deploy more and more systems in an effort to make things easier and save money, without also engaging someone who can be responsible for each new system, leads to an unbalanced state. When we defend, we must maintain our center; we must maintain balance. When we attack, we seek first to unbalance our opponent. Truly, starting in an unbalanced state is poor cyber-jutsu.

All are welcome here in this cyber-jutsu dojo, if they have a desire to learn and apply the art. I have much to teach you. I hope you find here what you seek.

About Me

I am a current and active Certified Information Systems Security Professional (CISSP), and have received a certificate for the SANS GIAC Reverse Engineering Malware (GREM) training.
As a high-school student in the mid 1980's, I was sysop and co-sysop of several Bulletin Board Systems (BBS) run on both IBM computers as well as Atari systems.
While in the USAF in the late 1980's, I was stationed at Yokota AFB, Japan for over 2 years. I was a tech-controller, and a volunteer for the Air Base Aggressor Team, which performed penetration tests against both the permanent station and deployed field units.
I furthered my education at Middlesex County College, in New Jersey, and the Rochester Institute of Technology (RIT).
For the past ten+ years, I have acted in an Information Security Consulting capacity for such large corporations as Xerox, and GE, as well as numerous large hospitals and small businesses across these United States.
I am an active freelance writer and Information Security Consultant.
I own and operate CyberCede Corporation. You can find out more about CyberCede at http://www.cybercede.com